<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>chunk_analyzer 模块评估报告 - bb1559</title>
  <style>
    body { font-family: Arial, sans-serif; line-height: 1.6; margin: 0; padding: 20px; color: #333; }
    h1, h2, h3 { color: #2c3e50; }
    .container { max-width: 1200px; margin: 0 auto; }
    .card { background: #fff; border-radius: 5px; box-shadow: 0 2px 5px rgba(0,0,0,0.1); margin-bottom: 20px; padding: 20px; }
    .success { color: #27ae60; }
    .error { color: #e74c3c; }
    .info { color: #3498db; }
    table { width: 100%; border-collapse: collapse; margin: 10px 0; }
    th, td { text-align: left; padding: 12px; border-bottom: 1px solid #eee; }
    th { background-color: #f8f9fa; }
    tr:hover { background-color: #f5f5f5; }
    pre { background: #f8f9fa; padding: 15px; border-radius: 5px; overflow-x: auto; }
    .progress-container { width: 100%; background-color: #f1f1f1; border-radius: 5px; }
    .progress-bar { height: 20px; border-radius: 5px; }
    .success-bg { background-color: #4CAF50; }
    .pending-bg { background-color: #2196F3; }
    .error-bg { background-color: #f44336; }
    .tag { display: inline-block; padding: 3px 8px; border-radius: 3px; font-size: 12px; font-weight: bold; }
    .tag-success { background-color: #e8f5e9; color: #2e7d32; }
    .tag-error { background-color: #ffebee; color: #c62828; }
    .tag-pending { background-color: #e3f2fd; color: #1565c0; }
  </style>
</head>
<body>
  <div class="container">
    <h1>chunk_analyzer 模块评估报告</h1>
    
    <div class="card">
      <h2>基本信息</h2>
      <table>
        <tr>
          <td width="150"><strong>模块名称</strong></td>
          <td>chunk_analyzer</td>
        </tr>
        <tr>
          <td><strong>模块类型</strong></td>
          <td>ModuleType.CHUNK_ANALYZER</td>
        </tr>
        <tr>
          <td><strong>提交SHA</strong></td>
          <td>bb15591646687064ab2d578d5f9660b2a4168017.patch</td>
        </tr>
        <tr>
          <td><strong>目标版本</strong></td>
          <td>release-6.0.8</td>
        </tr>
        <tr>
          <td><strong>执行时间</strong></td>
          <td>2025-05-22T18:21:23.283128</td>
        </tr>
        <tr>
          <td><strong>状态</strong></td>
          <td>
            <span class="tag tag-success">成功</span>
          </td>
        </tr>
      </table>
    </div>
    
    <div class="card">
      <h2>输入信息</h2>
      <table>
        
                <tr>
                  <td width="200"><strong>原始补丁路径</strong></td>
                  <td>/home/elpsy/workspace/sow/patch-backport/workspace/phusion/passenger/bb1559/patches/upstream_bb1559.patch</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>代码仓库路径</strong></td>
                  <td>/home/elpsy/.cache/port-patch/passenger</td>
                </tr>
                
      </table>
    </div>
    
    <div class="card">
      <h2>输出信息</h2>
      <table>
        
                <tr>
                  <td width="200"><strong>状态</strong></td>
                  <td>成功</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>成功次数</strong></td>
                  <td>1</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>总尝试次数</strong></td>
                  <td>1</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>执行时间</strong></td>
                  <td>0.062735</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>总块数</strong></td>
                  <td>6</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>成功应用块数</strong></td>
                  <td>1</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>成功率</strong></td>
                  <td>16.67%</td>
                </tr>
                
                <tr>
                  <td width="200"><strong>剩余补丁路径</strong></td>
                  <td>/home/elpsy/workspace/sow/patch-backport/workspace/phusion/passenger/bb1559/chunk_patches/remaining_chunks_20250522_182123.patch</td>
                </tr>
                
      </table>
    </div>
    
    
        <div class="card">
          <h2>补丁块应用统计</h2>
          
          <div class="progress-container">
            <div class="progress-bar success-bg" style="width: 16%"></div>
          </div>
          <p>
            成功应用 <strong class="success">1</strong> 个块，
            总共 <strong>6</strong> 个块
            (成功率: <strong>16.7%</strong>)
          </p>
        </div>
        
        <div class="card">
          <h2>补丁内容详情</h2>
          <div class="tabs">
            <div class="tab-header">
              <button class="tab-button active" onclick="openTab(event, 'original-patch')">原始补丁</button>
              <button class="tab-button" onclick="openTab(event, 'applied-patches')">应用成功的补丁</button>
              <button class="tab-button" onclick="openTab(event, 'remaining-patch')">未应用成功的补丁</button>
            </div>
            
            <div id="original-patch" class="tab-content" style="display:block;">
              <h3>原始补丁内容</h3>
              <div class="code-container">
                <pre class="code-block">From bb15591646687064ab2d578d5f9660b2a4168017 Mon Sep 17 00:00:00 2001
From: Camden Narzt &lt;c.narzt@me.com&gt;
Date: Tue, 18 Feb 2025 07:57:54 -0700
Subject: [PATCH] Fix header parser

---
 CHANGELOG                                     |  2 +-
 .../ServerKit/HttpHeaderParser.h              | 40 +++++++++----------
 test/cxx/ServerKit/HttpServerTest.cpp         | 27 ++++++++++++-
 3 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5b3340c6aa..f2c556828c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,6 @@
 Release 6.0.26 (Not yet released)
 -------------
- * 
+ * [CVE-2025-26803] The http parser (from Passenger 6.0.21-6.0.25) was susceptible to a denial of service attack when parsing a request with an invalid HTTP method.
 
 
 Release 6.0.25
diff --git a/src/cxx_supportlib/ServerKit/HttpHeaderParser.h b/src/cxx_supportlib/ServerKit/HttpHeaderParser.h
index d43d4fe31e..1b01860707 100644
--- a/src/cxx_supportlib/ServerKit/HttpHeaderParser.h
+++ b/src/cxx_supportlib/ServerKit/HttpHeaderParser.h
@@ -119,31 +119,26 @@ class HttpHeaderParser {
 	}
 
 	static size_t http_parser_execute_and_handle_pause(llhttp_t *parser,
-		const char *data, size_t len, bool &paused)
+		const char *data, size_t len)
 	{
 		llhttp_errno_t rc = llhttp_get_errno(parser);
 		switch (rc) {
 		case HPE_PAUSED_UPGRADE:
 			llhttp_resume_after_upgrade(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_PAUSED:
 			llhttp_resume(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_OK:
+			rc = llhttp_execute(parser, data, len);
 		happy_path:
-			switch (llhttp_execute(parser, data, len)) {
-			case HPE_PAUSED_H2_UPGRADE:
-			case HPE_PAUSED_UPGRADE:
-			case HPE_PAUSED:
-				paused = true;
-				return (llhttp_get_error_pos(parser) - data);
-			case HPE_OK:
+			if (rc == HPE_OK) {
 				return len;
-			default:
-				goto error_path;
-			}
+            }
+			// deliberate fall through
         default:
-		error_path:
 			return (llhttp_get_error_pos(parser) - data);
 		}
 	}
@@ -488,20 +483,22 @@ class HttpHeaderParser {
 		TRACE_POINT();
 		P_ASSERT_EQ(message-&gt;httpState, Message::PARSING_HEADERS);
 
-		size_t ret;
-		bool paused;
-
 		state-&gt;parser.data = this;
 		currentBuffer = &buffer;
-		ret = http_parser_execute_and_handle_pause(&state-&gt;parser,
-			buffer.start, buffer.size(), paused);
+		size_t ret = http_parser_execute_and_handle_pause(&state-&gt;parser,
+			buffer.start, buffer.size());
 		currentBuffer = NULL;
 
-		if (!llhttp_get_upgrade(&state-&gt;parser) && ret != buffer.size() && !paused || !paused && llhttp_get_errno(&state-&gt;parser) != HPE_OK) {
+		llhttp_errno_t llerrno = llhttp_get_errno(&state-&gt;parser);
+
+		bool paused = (llerrno == HPE_PAUSED_H2_UPGRADE || llerrno == HPE_PAUSED_UPGRADE || llerrno == HPE_PAUSED);
+
+		if ( (!llhttp_get_upgrade(&state-&gt;parser) && ret != buffer.size() && !paused) ||
+		 (llerrno != HPE_OK && !paused) ) {
 			UPDATE_TRACE_POINT();
 			message-&gt;httpState = Message::ERROR;
-			switch (llhttp_get_errno(&state-&gt;parser)) {
-			case HPE_CB_HEADER_FIELD_COMPLETE://?? does this match was HPE_CB_header_field in old one
+			switch (llerrno) {
+			case HPE_CB_HEADER_FIELD_COMPLETE:// does this match? was HPE_CB_header_field in old impl
 			case HPE_CB_HEADERS_COMPLETE:
 				switch (state-&gt;state) {
 				case HttpHeaderParserState::ERROR_SECURITY_PASSWORD_MISMATCH:
@@ -526,9 +523,10 @@ class HttpHeaderParser {
 				break;
 			default:
 				default_error:
-				message-&gt;aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llhttp_get_errno(&state-&gt;parser);
+				message-&gt;aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llerrno;
 				break;
 			}
+			llhttp_finish(&state-&gt;parser);
 		} else if (messageHttpStateIndicatesCompletion(MessageType())) {
 			UPDATE_TRACE_POINT();
 			message-&gt;httpMajor = llhttp_get_http_major(&state-&gt;parser);
diff --git a/test/cxx/ServerKit/HttpServerTest.cpp b/test/cxx/ServerKit/HttpServerTest.cpp
index df87b5daaf..9fb0ad952f 100644
--- a/test/cxx/ServerKit/HttpServerTest.cpp
+++ b/test/cxx/ServerKit/HttpServerTest.cpp
@@ -806,6 +806,32 @@ namespace tut {
 			"hello /");
 	}
 
+	TEST_METHOD(19) {
+		set_test_name("It responds with correct error if http method is not recognized");
+
+		// send invalid request
+		connectToServer();
+		sendRequest("BAD_METHOD / HTTP/1.1\r\n"
+					"Connection: close\r\n" 
+					"Host: foo\r\n\r\n");
+		string response = readAll(fd, 1024).first;
+
+		ensure("Response starts with error",
+			   startsWith(response,
+						  "HTTP/1.0 400 Bad Request\r\n"
+						  "Status: 400 Bad Request\r\n"
+						  "Content-Type: text/html; charset=UTF-8\r\n"));
+
+		ensure("Response ends with error",
+			   endsWith(response,
+						"Connection: close\r\n"
+						"Content-Length: 19\r\n"
+						"cache-control: no-cache, no-store, must-revalidate\r\n"
+						"\r\n"
+						"invalid HTTP method"));
+		ensure_equals("Response size is correct", response.size(), 242u);
+	}
+
 	/***** Fixed body handling *****/
 
 	TEST_METHOD(20) {
@@ -1477,7 +1503,6 @@ namespace tut {
 		ensure("(1)", containsSubstring(response, "HTTP/1.1 400 Bad Request\r\n"));
 	}
 
-
 	/***** Secure headers handling *****/
 
 	TEST_METHOD(60) {
</pre>
              </div>
            </div>
            
            <div id="applied-patches" class="tab-content">
              <h3>应用成功的补丁内容</h3>
              <div class="code-container">
                <pre class="code-block">

# ===== 应用成功的补丁块 1 =====

From bb15591646687064ab2d578d5f9660b2a4168017 Mon Sep 17 00:00:00 2001
From: Camden Narzt &lt;c.narzt@me.com&gt;
Date: Tue, 18 Feb 2025 07:57:54 -0700
Subject: [PATCH] Fix header parser

---
 CHANGELOG                                     |  2 +-
 .../ServerKit/HttpHeaderParser.h              | 40 +++++++++----------
 test/cxx/ServerKit/HttpServerTest.cpp         | 27 ++++++++++++-
 3 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/test/cxx/ServerKit/HttpServerTest.cpp b/test/cxx/ServerKit/HttpServerTest.cpp
index df87b5daaf..9fb0ad952f 100644
--- a/test/cxx/ServerKit/HttpServerTest.cpp
+++ b/test/cxx/ServerKit/HttpServerTest.cpp
@@ -1477,7 +1503,6 @@ namespace tut {
 		ensure("(1)", containsSubstring(response, "HTTP/1.1 400 Bad Request\r\n"));
 	}
 
-
 	/***** Secure headers handling *****/
 
 	TEST_METHOD(60) {
</pre>
              </div>
            </div>
            
            <div id="remaining-patch" class="tab-content">
              <h3>未应用成功的补丁内容</h3>
              <div class="code-container">
                <pre class="code-block">From bb15591646687064ab2d578d5f9660b2a4168017 Mon Sep 17 00:00:00 2001
From: Camden Narzt &lt;c.narzt@me.com&gt;
Date: Tue, 18 Feb 2025 07:57:54 -0700
Subject: [PATCH] Fix header parser

---
 CHANGELOG                                     |  2 +-
 .../ServerKit/HttpHeaderParser.h              | 40 +++++++++----------
 test/cxx/ServerKit/HttpServerTest.cpp         | 27 ++++++++++++-
 3 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5b3340c6aa..f2c556828c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,6 @@
 Release 6.0.26 (Not yet released)
 -------------
- * 
+ * [CVE-2025-26803] The http parser (from Passenger 6.0.21-6.0.25) was susceptible to a denial of service attack when parsing a request with an invalid HTTP method.
 
 
 Release 6.0.25
diff --git a/src/cxx_supportlib/ServerKit/HttpHeaderParser.h b/src/cxx_supportlib/ServerKit/HttpHeaderParser.h
index d43d4fe31e..1b01860707 100644
--- a/src/cxx_supportlib/ServerKit/HttpHeaderParser.h
+++ b/src/cxx_supportlib/ServerKit/HttpHeaderParser.h
@@ -119,31 +119,26 @@ class HttpHeaderParser {
 	}
 
 	static size_t http_parser_execute_and_handle_pause(llhttp_t *parser,
-		const char *data, size_t len, bool &paused)
+		const char *data, size_t len)
 	{
 		llhttp_errno_t rc = llhttp_get_errno(parser);
 		switch (rc) {
 		case HPE_PAUSED_UPGRADE:
 			llhttp_resume_after_upgrade(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_PAUSED:
 			llhttp_resume(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_OK:
+			rc = llhttp_execute(parser, data, len);
 		happy_path:
-			switch (llhttp_execute(parser, data, len)) {
-			case HPE_PAUSED_H2_UPGRADE:
-			case HPE_PAUSED_UPGRADE:
-			case HPE_PAUSED:
-				paused = true;
-				return (llhttp_get_error_pos(parser) - data);
-			case HPE_OK:
+			if (rc == HPE_OK) {
 				return len;
-			default:
-				goto error_path;
-			}
+            }
+			// deliberate fall through
         default:
-		error_path:
 			return (llhttp_get_error_pos(parser) - data);
 		}
 	}
@@ -488,20 +483,22 @@ class HttpHeaderParser {
 		TRACE_POINT();
 		P_ASSERT_EQ(message-&gt;httpState, Message::PARSING_HEADERS);
 
-		size_t ret;
-		bool paused;
-
 		state-&gt;parser.data = this;
 		currentBuffer = &buffer;
-		ret = http_parser_execute_and_handle_pause(&state-&gt;parser,
-			buffer.start, buffer.size(), paused);
+		size_t ret = http_parser_execute_and_handle_pause(&state-&gt;parser,
+			buffer.start, buffer.size());
 		currentBuffer = NULL;
 
-		if (!llhttp_get_upgrade(&state-&gt;parser) && ret != buffer.size() && !paused || !paused && llhttp_get_errno(&state-&gt;parser) != HPE_OK) {
+		llhttp_errno_t llerrno = llhttp_get_errno(&state-&gt;parser);
+
+		bool paused = (llerrno == HPE_PAUSED_H2_UPGRADE || llerrno == HPE_PAUSED_UPGRADE || llerrno == HPE_PAUSED);
+
+		if ( (!llhttp_get_upgrade(&state-&gt;parser) && ret != buffer.size() && !paused) ||
+		 (llerrno != HPE_OK && !paused) ) {
 			UPDATE_TRACE_POINT();
 			message-&gt;httpState = Message::ERROR;
-			switch (llhttp_get_errno(&state-&gt;parser)) {
-			case HPE_CB_HEADER_FIELD_COMPLETE://?? does this match was HPE_CB_header_field in old one
+			switch (llerrno) {
+			case HPE_CB_HEADER_FIELD_COMPLETE:// does this match? was HPE_CB_header_field in old impl
 			case HPE_CB_HEADERS_COMPLETE:
 				switch (state-&gt;state) {
 				case HttpHeaderParserState::ERROR_SECURITY_PASSWORD_MISMATCH:
@@ -526,9 +523,10 @@ class HttpHeaderParser {
 				break;
 			default:
 				default_error:
-				message-&gt;aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llhttp_get_errno(&state-&gt;parser);
+				message-&gt;aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llerrno;
 				break;
 			}
+			llhttp_finish(&state-&gt;parser);
 		} else if (messageHttpStateIndicatesCompletion(MessageType())) {
 			UPDATE_TRACE_POINT();
 			message-&gt;httpMajor = llhttp_get_http_major(&state-&gt;parser);
diff --git a/test/cxx/ServerKit/HttpServerTest.cpp b/test/cxx/ServerKit/HttpServerTest.cpp
index df87b5daaf..9fb0ad952f 100644
--- a/test/cxx/ServerKit/HttpServerTest.cpp
+++ b/test/cxx/ServerKit/HttpServerTest.cpp
@@ -806,6 +806,32 @@ namespace tut {
 			"hello /");
 	}
 
+	TEST_METHOD(19) {
+		set_test_name("It responds with correct error if http method is not recognized");
+
+		// send invalid request
+		connectToServer();
+		sendRequest("BAD_METHOD / HTTP/1.1\r\n"
+					"Connection: close\r\n" 
+					"Host: foo\r\n\r\n");
+		string response = readAll(fd, 1024).first;
+
+		ensure("Response starts with error",
+			   startsWith(response,
+						  "HTTP/1.0 400 Bad Request\r\n"
+						  "Status: 400 Bad Request\r\n"
+						  "Content-Type: text/html; charset=UTF-8\r\n"));
+
+		ensure("Response ends with error",
+			   endsWith(response,
+						"Connection: close\r\n"
+						"Content-Length: 19\r\n"
+						"cache-control: no-cache, no-store, must-revalidate\r\n"
+						"\r\n"
+						"invalid HTTP method"));
+		ensure_equals("Response size is correct", response.size(), 242u);
+	}
+
 	/***** Fixed body handling *****/
 
 	TEST_METHOD(20) {
</pre>
              </div>
            </div>
          </div>
        </div>
        
                <div class="card">
                  <h2>应用成功的补丁块</h2>
                  <table>
                    <tr>
                      <th>块索引</th>
                      <th>修改文件</th>
                      <th>修改位置</th>
                      <th>操作</th>
                    </tr>
                    
                    <tr>
                      <td>1</td>
                      <td>test/cxx/ServerKit/HttpServerTest.cpp</td>
                      <td>1477-1503</td>
                      <td><a href="applied_chunk_1.diff" target="_blank">查看</a></td>
                    </tr>
                    
                  </table>
                </div>
                
            <div class="card">
              <h2>剩余补丁</h2>
              <p>有 <strong class="info">5</strong> 个块未成功应用，已生成剩余补丁:</p>
              <p><code>/home/elpsy/workspace/sow/patch-backport/workspace/phusion/passenger/bb1559/chunk_patches/remaining_chunks_20250522_182123.patch</code></p>
              <p><a href="remaining_patch.diff" target="_blank">查看剩余补丁</a></p>
            </div>
            
        <style>
        .code-container {
          max-height: 500px;
          overflow-y: auto;
          background-color: #f8f9fa;
          border-radius: 5px;
          border: 1px solid #eee;
        }
        
        .code-block {
          padding: 15px;
          margin: 0;
          white-space: pre-wrap;
          font-family: monospace;
          font-size: 13px;
          line-height: 1.4;
        }
        
        /* 为补丁内容添加语法高亮 */
        .code-block .add {
          background-color: #e6ffed;
          color: #22863a;
        }
        
        .code-block .remove {
          background-color: #ffeef0;
          color: #cb2431;
        }
        
        .code-block .hunk {
          color: #0366d6;
          background-color: #f1f8ff;
        }
        
        .code-block .header {
          color: #6f42c1;
          font-weight: bold;
        }
        </style>
        
        <script>
        // 对补丁内容应用简单的语法高亮
        document.addEventListener('DOMContentLoaded', function() {
          const codeBlocks = document.querySelectorAll('.code-block');
          codeBlocks.forEach(function(block) {
            let html = block.innerHTML;
            
            // 替换添加的行
            html = html.replace(/^(\+[^+].*)/gm, '<span class="add">$1</span>');
            
            // 替换删除的行
            html = html.replace(/^(-[^-].*)/gm, '<span class="remove">$1</span>');
            
            // 替换区块头
            html = html.replace(/^(@@.*@@)/gm, '<span class="hunk">$1</span>');
            
            // 替换diff头 - 修复无效转义序列
            html = html.replace(/^(diff --git.*|index.*|---.*|\+\+\+.*)/gm, '<span class="header">$1</span>');
            
            block.innerHTML = html;
          });
        });
        </script>
        
    
  </div>
</body>
</html>